consul/troubleshoot/proxy/certs.go


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package troubleshoot
import (
"fmt"
"time"
envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
"github.com/hashicorp/consul/troubleshoot/validate"
"google.golang.org/protobuf/encoding/protojson"
)
// validateCerts checks the certificate material Envoy reports through its
// admin API and turns anything wrong with it into validate.Messages.
//
// Behaviour, in order:
//   - certs == nil                → a single failure message, returned at once.
//   - no certificate entries      → a single failure message, returned at once.
//   - otherwise                   → one failure message for every CA cert and
//     every chain cert whose expiration time is already in the past, measured
//     against time.Now() at entry. A fully valid set yields a nil slice.
//
// NOTE(review): the expiration check relies on AsTime(), which maps an unset
// expiration_time to the Unix epoch, so a certificate without that field is
// reported as expired. That reads as fail-closed; confirm it is intended.
//
// TODO: we can probably warn if the expiration date is close
func (t *Troubleshoot) validateCerts(certs *envoy_admin_v3.Certificates) validate.Messages {
	// Every finding shares the same remediation hint.
	const xdsHint = "Check the logs of the Consul agent configuring the local proxy and ensure XDS updates are being sent to the proxy"

	// failure builds the one-shot failure message used for every finding here.
	failure := func(text string) validate.Message {
		return validate.Message{
			Success:         false,
			Message:         text,
			PossibleActions: []string{xdsHint},
		}
	}

	// Guard clauses: nothing to inspect, so report that and stop.
	if certs == nil {
		return []validate.Message{failure("Certificate object is nil in the proxy configuration")}
	}
	entries := certs.GetCertificates()
	if len(entries) == 0 {
		return []validate.Message{failure("No certificates found")}
	}

	// A single reference instant keeps all comparisons consistent.
	checkedAt := time.Now()
	expired := func(expiresAt time.Time) bool {
		return checkedAt.After(expiresAt)
	}

	var findings validate.Messages
	for _, entry := range entries {
		for _, ca := range entry.GetCaCert() {
			if expired(ca.GetExpirationTime().AsTime()) {
				findings = append(findings, failure("CA certificate is expired"))
			}
		}
		for _, leaf := range entry.GetCertChain() {
			if expired(leaf.GetExpirationTime().AsTime()) {
				findings = append(findings, failure("Certificate chain is expired"))
			}
		}
	}
	return findings
}
// getEnvoyCerts fetches the proxy's certificate inventory from the Envoy
// admin API (/certs?format=json), decodes it into an
// envoy_admin_v3.Certificates message and caches the result on t.envoyCerts
// before returning it.
//
// Unknown JSON fields are discarded on decode so a newer Envoy does not break
// the troubleshoot flow. Both the HTTP request and the decode step return a
// wrapped error; on error nothing is cached and the returned message is nil.
func (t *Troubleshoot) getEnvoyCerts() (*envoy_admin_v3.Certificates, error) {
	body, err := t.request("certs?format=json")
	if err != nil {
		return nil, fmt.Errorf("error in requesting Envoy Admin API /certs endpoint: %w", err)
	}

	decoder := protojson.UnmarshalOptions{DiscardUnknown: true}
	parsed := new(envoy_admin_v3.Certificates)
	if err := decoder.Unmarshal(body, parsed); err != nil {
		return nil, fmt.Errorf("error in unmarshalling /certs response: %w", err)
	}

	// Remember the decoded inventory for later troubleshoot steps.
	t.envoyCerts = parsed
	return parsed, nil
}